SEC325 BitLocker™ Drive Encryption Deployment
Laura Benofsky, Lead Program Manager, Windows Security - System Integrity
Agenda
- Business Impact
- BitLocker™ Overview
- BitLocker™ Requirements
- BitLocker™ Deployment Process
- BitLocker™ Administration & Recovery
- Best Practices
- Q&A
Information Loss Is Costly
A large multi-national company, who wishes to remain anonymous, loses an average of one corporate laptop per business day in the taxicabs of just one US city…
The U.S. Dept of Justice estimates that intellectual property theft cost enterprises $250 billion in 2004.
Information loss – whether via theft or accidental leakage – is costly on several levels:
Financial
- Loss of revenue, market capitalization, and competitive advantage
Image & Credibility
- Leaked executive e-mails can be embarrassing
- Unintended forwarding of sensitive information can adversely impact the company's image and/or credibility
Legal & Regulatory Compliance
- Increasing regulation: SOX, HIPAA, GLBA
- Bringing a company into compliance can be complex and expensive
- Non-compliance can lead to significant legal fees, fines and/or settlements
BitLocker™ Drive Encryption Overview

BitLocker™ Design Goals
BitLocker™ Drive Encryption gives you improved data protection on your Windows Vista and Windows Server codenamed "Longhorn" systems
- Notebooks – Often stolen, easily lost in transit
- Desktops – Often stolen, difficult to safely decommission
- Servers – High value targets, often kept in insecure locations
- All three can contain very sensitive IP and customer data
Designed to provide a transparent user experience that requires little to no interaction on a protected system
Prevents thieves from using another OS or a software hacking tool to break OS file and system protections
Prevents offline viewing of user data and OS files
Provides enhanced data protection and boot validation through use of a Trusted Platform Module (TPM) v1.2
BitLocker™ and TPM Features
BitLocker™ Drive Encryption
- Encrypts entire volume
- Uses Trusted Platform Module (TPM) v1.2 to validate pre-OS components
- Customizable protection and authentication methods
Pre-OS Protection
- USB startup key, PIN, and TPM-backed authentication
Single Microsoft TPM Driver
- Improved stability and security
TPM Base Services (TBS)
- Enables third party applications
Active Directory Backup
- Automated key backup to AD server
- Group Policy support
Scriptable Interfaces
- TPM management
- BitLocker™ management
- Command-line tool
Secure Decommissioning
- Wipe keys and repurpose
What Is A Trusted Platform Module (TPM)?
Smartcard-like module on the motherboard that:
- Performs cryptographic functions
  - RSA, SHA-1, RNG
  - Meets encryption export requirements
- Can create, store and manage keys
  - Provides a unique Endorsement Key (EK)
  - Provides a unique Storage Root Key (SRK)
- Performs digital signature operations
- Holds Platform Measurements (hashes)
- Anchors chain of trust for keys and credentials
- Protects itself against attacks
TPM 1.2 spec: www.trustedcomputinggroup.org
Why Use A TPM?
Trusted Platforms use Roots-of-Trust
- A TPM is an implementation of a Root-of-Trust
A hardware Root-of-Trust has distinct advantages
- Software can be hacked by software
- Difficult to root trust in software that has to validate itself
- Hardware can be made to be robust against attacks
  - Certified to be tamper resistant
- Hardware and software combined can protect root secrets better than software alone
A TPM can ensure that keys and secrets are only available for use when the environment is appropriate
- Security can be tied to specific hardware and software configurations
Disk Layout & Key Storage
Boot Partition contains: MBR, Loader, Boot Utilities (unencrypted, small)
Windows Partition contains: encrypted OS, encrypted page file, encrypted temp files, encrypted data, encrypted hibernation file
Where's the Encryption Key?
1. SRK (Storage Root Key) contained in TPM
2. SRK encrypts VEK (Volume Encryption Key), protected by TPM/PIN/Dongle
3. VEK stored (encrypted by SRK) on hard drive in Boot Partition
BitLocker™ Architecture
Static Root of Trust Measurement of early boot components
[Diagram; labels recovered from the slide: PreOS (BIOS, TPM Init, MBR, BootSector, BootBlock, BootManager), Static OS (OS Loader, Start OS); "All Boot Blobs unlocked", then "Volume Blob of Target OS unlocked"]
BitLocker™ in Windows Vista
BitLocker™ Requirements and Deployment

Hardware Requirements
- Trusted Platform Module (TPM) v1.2.
- TCG-compliant (Trusted Computing Group) v1.2 BIOS.
- The system BIOS must support both reading and writing small files on a USB flash drive in the pre-operating system environment.
- Computer must have at least two volumes to operate:
  - Operating System Volume: must be NTFS. Contains the Windows OS and its support files. Data on this volume is protected by BitLocker.
  - System Volume: must be NTFS, must differ from the OS Volume, must NOT be encrypted. Contains the hardware-specific files that are needed to load Windows after the BIOS has booted the platform.
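As an added example (not part of the SEC325 deck), the PowerShell pre-flight check below tests the requirements above that can be read from the machine itself: TPM presence and spec version through the Win32_Tpm WMI class, and the two-NTFS-volume layout through Win32_Volume, whose SystemVolume and BootVolume flags correspond to the deck's "System Volume" and "Operating System Volume". The function name Test-BitLockerPrereqs is my own; TCG BIOS compliance and pre-OS USB read/write support are not queryable this way and still have to be confirmed with the OEM or through Logo testing.

```powershell
# Added example, not from the SEC325 deck. Pre-flight check of the BitLocker
# hardware and volume requirements that the machine itself can report.
# Requires PowerShell 2.0 or later, run from an elevated prompt.

function Test-BitLockerPrereqs {
    $result = @{}

    # TPM: Win32_Tpm has an instance only when a TPM driver is loaded.
    # SpecVersion is a string such as "1.2, 2, 3"; the first field is the spec level.
    $tpm = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' `
                         -Class Win32_Tpm -ErrorAction SilentlyContinue
    if ($tpm -eq $null) {
        $result.TpmPresent = $false
        $result.TpmIs12    = $false
    } else {
        $result.TpmPresent   = $true
        $result.TpmSpec      = $tpm.SpecVersion
        $result.TpmIs12      = (($tpm.SpecVersion -split ',')[0].Trim() -eq '1.2')
        # BIOS-reported initial state: shows whether the physical-presence
        # step (enable/activate) is still needed before ownership can be taken.
        $result.TpmEnabled   = $tpm.IsEnabled_InitialValue
        $result.TpmActivated = $tpm.IsActivated_InitialValue
        $result.TpmOwned     = $tpm.IsOwned_InitialValue
    }

    # Volumes: an NTFS system volume (boot files, stays unencrypted) that is
    # distinct from the NTFS OS volume (Windows). DriveType 3 = local disk.
    $fixed = Get-WmiObject -Class Win32_Volume | Where-Object { $_.DriveType -eq 3 }
    $sys = $fixed | Where-Object { $_.SystemVolume -eq $true } | Select-Object -First 1
    $os  = $fixed | Where-Object { $_.BootVolume   -eq $true } | Select-Object -First 1

    $result.SystemVolume     = if ($sys) { $sys.DeviceID } else { $null }
    $result.OsVolume         = if ($os)  { $os.DeviceID }  else { $null }
    $result.SystemVolumeNtfs = ($sys -ne $null) -and ($sys.FileSystem -eq 'NTFS')
    $result.OsVolumeNtfs     = ($os  -ne $null) -and ($os.FileSystem  -eq 'NTFS')
    $result.VolumesDistinct  = ($sys -ne $null) -and ($os -ne $null) -and
                               ($sys.DeviceID -ne $os.DeviceID)

    # Not checkable from WMI: TCG 1.2 BIOS compliance and pre-OS USB read/write.
    # Those come from the OEM or from Windows Logo testing.
    $result.Ready = $result.TpmIs12 -and $result.SystemVolumeNtfs -and
                    $result.OsVolumeNtfs -and $result.VolumesDistinct

    New-Object PSObject -Property $result
}

Test-BitLockerPrereqs | Format-List
```

A machine that reports Ready = True but TpmOwned = False is the case the deck's TPM Configuration Script slide addresses: the hardware qualifies, but the TPM still has to be turned on and owned before BitLocker can use it.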
Deployment Process
Plan
- Review Existing Infrastructure
- Hardware Requirements
  - Check for Hardware Requirements
  - Key TPM Concepts
  - Talk with your OEM
- BitLocker Protectors
- Define BitLocker Configuration
  - Define Security Policy
  - Configure Active Directory
  - Configure Group Policy
Deploy
- BitLocker Ready OS Image
- TPM Configuration Script
- BitLocker Configuration Script
Support
- BitLocker Servicing
Review Existing Infrastructure
- How and when are new machines configured? e.g. OEM preconfigured, PXE boot WinPE, staging environment, etc…
- Do you plan to deploy BitLocker on non-TPM machines?
- What is the OS Deployment method used? e.g. Imaging, unattended setup
- What is the Application Delivery Method? e.g. Integrated with Image, scripted unattend install etc…
- How are updates/patches being applied?
Plan
Deploy
Support
Key TPM Concepts
Physical Presence
- Physical presence implies direct interaction by a person with the platform to perform basic administrative tasks and to bootstrap management and access control mechanisms
Endorsement Key
- The Endorsement Key (EK) is an RSA key pair. A given TPM must be associated with one and only one EK for the TPM to function properly
TPM States
- On – The TPM should be enabled and activated. This requires Physical Presence
- Owned/Un-owned – A platform is owned when an EK exists and the true owner knows the owner authorization data. BDE cannot use the TPM until it is in the owned state
Talk with your OEM
- What is the state of the TPM when it is shipped to your organization?
- Is the Endorsement Key already on the TPM?
- Does the OEM provide tools to automate management of the TPM?
- How does the OEM implement Physical Presence?
- Do the existing machines without TPM devices support USB devices at boot time?
Define Security Policy
Recovery Scenarios
- Broken Hardware Recovery Scenario
  - Hard drive moves to a new system
  - Recovery using Control Panel
- Attack Detected Recovery Scenario
  - Modified or missing boot loader files
  - Boot mode recovery
- Missing Windows Critical Components Scenario
  - WinRE recovery
Recovery policies
- Define policies per supported BitLocker configuration
- Develop a recovery process flow per supported configuration
- In the event of recovery… determine root cause and track it
- The recovery process should include identity checks for support calls
- Consider recovery material insecure once it has been used by a non-secure party
- Regenerate new recovery material after use
Define Security Policy
Key management policy
- Back up recovery passwords to Active Directory
- Consider using Recovery Keys along with Recovery Passwords
- Save Recovery Keys to a central location for support purposes
- Back up key material to secure offline storage
Machine Retirement Policy
- Force Recovery on a drive without invalidating any saved recovery methods
- Force Recovery on a drive and invalidate all saved recovery methods
- Run Vista Format on a drive
  - Automatically deletes all BitLocker key structures and then formats the drive
  - Available starting RC1
Configure Active Directory
To store BitLocker recovery information in Active Directory:
- All domain controllers in the domain must be at least Windows Server 2003 SP1
- Apply schema extensions to support the additional attributes
  - If you have a Windows Longhorn domain controller in your environment the schema extensions are already in place and no update is needed
- Configure permissions on the BitLocker and TPM Recovery Information schema objects
- If you have more than one AD forest, extend the schema in each forest that will have BitLocker machines
- Give read permissions to the users that will assist in the event of recovery
Configure Group Policy
BitLocker group policy settings include:
- Turn on AD backup of BDE recovery information
- Turn on AD backup of TPM recovery information
- Configure UI experience
Consider enabling power management control for BitLocker enabled machines
- Prevent machines from automatically entering sleep (default)
- Keep users from changing this configuration
BitLocker Ready OS Image
To create the OS image:
- Install Windows Vista on a reference machine that meets the BitLocker partition requirements. Install any applications.
- Run Sysprep and generalize the machine
- Boot into Windows PE to capture the system and OS partitions using ImageX
- For unattended installation replace the default Vista wim file with the new OS wim file created in the previous step. Now initiate the unattended install using PXE Boot, Windows PE Boot etc…
- For image based deployment create the partitions using diskpart. Use ImageX to apply the System and OS wim files created earlier to the partitions
WAIK and OPK
- Ensure that the BitLocker partitions are defined within the Setup node when you are describing Vista Setup via System Image Manager
- The SMS OSD Vista update does not support multi-partition. You will need to write a script that uses Diskpart to create the required partitions
TPM Configuration Script
Scenario: a computer with a TPM 1.2 for which the EK has been created by the OEM. You need to turn on the TPM and take ownership.
Using Manage-BDE
  Manage-bde.wsf -tpm -TurnOn
  Manage-bde.wsf -tpm -TakeOwnership Password
Using WMI
- Call SetPhysicalPresenceRequest(10) to enable, activate and allow the installation of a TPM owner using physical presence. A computer restart will be required.
- Call ConvertToOwnerAuth to create the owner authorization value
- Call TakeOwnership to set an owner for the TPM
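The WMI sequence above, written out as an added PowerShell example (not from the deck and not Microsoft's own tooling), against the Win32_Tpm class that exposes SetPhysicalPresenceRequest, ConvertToOwnerAuth and TakeOwnership. It is split into the two stages the slide implies: a physical-presence request that needs a reboot and a BIOS confirmation, then ownership after that reboot. Function names are mine, and the owner password in the usage comment is a placeholder; in a real rollout the owner authorization is what the "AD backup of TPM recovery information" policy stores.

```powershell
# Added example, not from the SEC325 deck: turning on a TPM 1.2 and taking
# ownership through the Win32_Tpm WMI class. Run elevated.

function Get-Tpm {
    Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' -Class Win32_Tpm
}

# Stage 1 (before the reboot). Request code 10 = Enable + Activate + Allow
# Installation of a TPM Owner; the user must confirm it at the BIOS prompt
# on the next boot, which is what "physical presence" means on the slide.
function Request-TpmTurnOn {
    $tpm = Get-Tpm
    if ($tpm -eq $null) { throw 'No TPM driver instance found (Win32_Tpm).' }
    $r = $tpm.SetPhysicalPresenceRequest(10)
    if ($r.ReturnValue -ne 0) {
        throw ('SetPhysicalPresenceRequest failed: 0x{0:X8}' -f $r.ReturnValue)
    }
    Write-Host 'Physical presence request queued. Restart and confirm at the BIOS prompt.'
}

# Stage 2 (after the reboot). Refuses to proceed unless the TPM is enabled and
# activated, and does nothing if it is already owned, so the script is safe to
# re-run from a deployment task sequence.
function Set-TpmOwner([string]$OwnerPassword) {
    $tpm = Get-Tpm
    if ($tpm -eq $null) { throw 'No TPM driver instance found (Win32_Tpm).' }

    $enabled   = $tpm.IsEnabled().IsEnabled
    $activated = $tpm.IsActivated().IsActivated
    $owned     = $tpm.IsOwned().IsOwned
    if (-not ($enabled -and $activated)) {
        throw 'TPM is not enabled and activated; run Request-TpmTurnOn and restart first.'
    }
    if ($owned) { Write-Host 'TPM is already owned; nothing to do.'; return $false }

    # ConvertToOwnerAuth derives the owner authorization value from the passphrase;
    # TakeOwnership then installs it. That value (not the passphrase) is the
    # TPM owner information that Group Policy can back up to Active Directory.
    $a = $tpm.ConvertToOwnerAuth($OwnerPassword)
    if ($a.ReturnValue -ne 0) { throw ('ConvertToOwnerAuth failed: 0x{0:X8}' -f $a.ReturnValue) }
    $r = $tpm.TakeOwnership($a.OwnerAuth)
    if ($r.ReturnValue -ne 0) { throw ('TakeOwnership failed: 0x{0:X8}' -f $r.ReturnValue) }

    Write-Host 'TPM ownership taken.'
    return $true
}

# Usage (placeholder password, supply your own from a secured source):
#   Request-TpmTurnOn            # then reboot and confirm at the BIOS prompt
#   Set-TpmOwner 'P@ssw0rd-EXAMPLE'
```

Return values from the WMI methods are HRESULTs; printing them in hex makes them directly comparable with the codes in the TPM/WMI documentation when a step fails on a particular OEM platform.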
BitLocker Configuration Script
Scenario: enable BitLocker using TPM only on a computer that is BitLocker compliant. You want to be able to recover the volume in case of attack, computer damage etc…
Using Manage-BDE
  Manage-bde.wsf -on -recoverypassword c:
  Manage-bde.wsf -status c:
Using WMI
- Call the methods beginning with ProtectKey to secure the encryption key for the volume. Make sure to include key protectors that can be used in recovery scenarios. For example:
  - ProtectKeyWithTPM
  - ProtectKeyWithNumericalPassword
- Call Encrypt to begin conversion of the volume
- Conversion is complete when GetConversionStatus indicates that the volume is fully encrypted
- Call GetProtectionStatus to ensure that BitLocker protection is on
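The same WMI sequence as an added PowerShell example (mine, not the deck's or Microsoft's script), using the Win32_EncryptableVolume class: a TPM protector plus a numerical-password protector, Encrypt, then polling GetConversionStatus until the volume is fully encrypted and confirming with GetProtectionStatus. Function names, the recovery file path and the poll interval are my choices. The numeric status values in the comments (ConversionStatus 0 = fully decrypted, 1 = fully encrypted; ProtectionStatus 1 = on; EncryptionMethod 0 = policy default) are my reading of the documented enumerations and should be checked against the WMI reference for the build you deploy.

```powershell
# Added example, not from the SEC325 deck: enable BitLocker with TPM +
# recovery password over WMI and verify the end state. Run elevated.

function Get-BdeVolume([string]$DriveLetter = 'C:') {
    Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
                  -Class Win32_EncryptableVolume -Filter "DriveLetter='$DriveLetter'"
}

function Enable-BdeTpmWithRecovery([string]$DriveLetter = 'C:',
                                   [string]$RecoveryFile = 'E:\bde-recovery.txt') {
    $vol = Get-BdeVolume $DriveLetter
    if ($vol -eq $null) { throw "No encryptable volume $DriveLetter" }

    # Only start from a fully decrypted volume (ConversionStatus 0), so the
    # script does not stack protectors onto a volume someone already enabled.
    $c = $vol.GetConversionStatus()
    if ($c.ConversionStatus -ne 0) {
        throw "Volume $DriveLetter is not fully decrypted (status $($c.ConversionStatus))"
    }

    # Protector 1: TPM. $null platform validation profile = the default PCR set.
    $t = $vol.ProtectKeyWithTPM('TPM', $null)
    if ($t.ReturnValue -ne 0) { throw ('ProtectKeyWithTPM failed: 0x{0:X8}' -f $t.ReturnValue) }

    # Protector 2: numerical (recovery) password. Passing $null lets BitLocker
    # generate the 48-digit value instead of accepting a caller-supplied one.
    $n = $vol.ProtectKeyWithNumericalPassword('Recovery password', $null)
    if ($n.ReturnValue -ne 0) { throw ('ProtectKeyWithNumericalPassword failed: 0x{0:X8}' -f $n.ReturnValue) }

    # Read the generated password back and store it. The deck's recommendation
    # for domain-joined machines is AD backup through Group Policy; the file on
    # a removable drive here stands in for the non-domain case.
    $p = $vol.GetKeyProtectorNumericalPassword($n.VolumeKeyProtectorID)
    if ($p.ReturnValue -ne 0) { throw ('GetKeyProtectorNumericalPassword failed: 0x{0:X8}' -f $p.ReturnValue) }
    "Protector ID: $($n.VolumeKeyProtectorID)`r`nRecovery password: $($p.NumericalPassword)" |
        Out-File -FilePath $RecoveryFile

    # Start conversion. EncryptionMethod 0 = use the Group Policy default.
    $e = $vol.Encrypt(0)
    if ($e.ReturnValue -ne 0) { throw ('Encrypt failed: 0x{0:X8}' -f $e.ReturnValue) }
    return $n.VolumeKeyProtectorID
}

# Poll until GetConversionStatus reports fully encrypted (1), then return
# whether GetProtectionStatus reports protection on (1).
function Wait-BdeProtected([string]$DriveLetter = 'C:', [int]$PollSeconds = 30) {
    $vol = Get-BdeVolume $DriveLetter
    while ($true) {
        $c = $vol.GetConversionStatus()
        Write-Host ('{0}: {1}% encrypted (status {2})' -f $DriveLetter, $c.EncryptionPercentage, $c.ConversionStatus)
        if ($c.ConversionStatus -eq 1) { break }
        Start-Sleep -Seconds $PollSeconds
    }
    $p = $vol.GetProtectionStatus()
    return ($p.ProtectionStatus -eq 1)
}

# Usage:
#   $id = Enable-BdeTpmWithRecovery 'C:' 'E:\bde-recovery.txt'
#   if (-not (Wait-BdeProtected 'C:')) { throw 'BitLocker protection is not on' }
```

The manage-bde.wsf -status call on the slide is the interactive equivalent of the two status methods; scripting them lets a deployment task sequence block on full encryption rather than reporting success as soon as Encrypt returns.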
BitLocker Servicing
Things you should know when upgrading components on a BitLocker enabled machine
For BIOS firmware
- The BIOS is hashed by the TPM, so servicing requires resealing of the keys.
- Always enter disabled mode prior to a BIOS update.
- Failure to enter disabled mode will trigger recovery.
- Disabled mode is an operation mode that does not decrypt the drive and allows component upgrades.
For OS updates
- Patch sent through Windows Update
- Signature chain is automatically verified to establish trust
- Does not require entering disabled mode
Other updates (e.g. apps)
- Patch sent by app/software vendors
- May require resealing or entering disabled mode
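An added PowerShell example (not from the deck) of the "enter disabled mode, update the BIOS, re-enable" procedure above, using the DisableKeyProtectors and EnableKeyProtectors methods of Win32_EncryptableVolume. Each step verifies the state the slide describes: after disabling, protection is off but the volume is still fully encrypted; after re-enabling, protection is on again with the TPM protector sealed to the new firmware measurements. Function names are mine, and the status values (ProtectionStatus 0 = off, 1 = on; ConversionStatus 1 = fully encrypted) are my reading of the documented enumerations.

```powershell
# Added example, not from the SEC325 deck: wrap a firmware update in BitLocker
# disabled mode so the next boot does not land in recovery. Run elevated.

function Get-BdeVolume([string]$DriveLetter = 'C:') {
    Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
                  -Class Win32_EncryptableVolume -Filter "DriveLetter='$DriveLetter'"
}

# Step 1: before the BIOS update. Disabled mode keeps the data encrypted but
# lets the machine boot without the TPM measurements matching.
function Enter-BdeDisabledMode([string]$DriveLetter = 'C:') {
    $vol = Get-BdeVolume $DriveLetter
    if ($vol -eq $null) { throw "No encryptable volume $DriveLetter" }
    $r = $vol.DisableKeyProtectors()
    if ($r.ReturnValue -ne 0) { throw ('DisableKeyProtectors failed: 0x{0:X8}' -f $r.ReturnValue) }

    # Verify: protection off (0) but the volume is still fully encrypted (1),
    # which is exactly what "does not decrypt the drive" on the slide means.
    $p = $vol.GetProtectionStatus()
    $c = $vol.GetConversionStatus()
    return (($p.ProtectionStatus -eq 0) -and ($c.ConversionStatus -eq 1))
}

# Step 3: after the BIOS update and reboot. Re-enabling the protectors seals
# the TPM protector against the measurements of the new firmware.
function Exit-BdeDisabledMode([string]$DriveLetter = 'C:') {
    $vol = Get-BdeVolume $DriveLetter
    if ($vol -eq $null) { throw "No encryptable volume $DriveLetter" }
    $r = $vol.EnableKeyProtectors()
    if ($r.ReturnValue -ne 0) { throw ('EnableKeyProtectors failed: 0x{0:X8}' -f $r.ReturnValue) }
    $p = $vol.GetProtectionStatus()
    return ($p.ProtectionStatus -eq 1)
}

# Usage around a firmware update:
#   if (-not (Enter-BdeDisabledMode 'C:')) { throw 'Volume did not enter disabled mode; do not flash' }
#   # ... step 2: apply the OEM BIOS update and reboot ...
#   if (-not (Exit-BdeDisabledMode 'C:')) { throw 'BitLocker protection is still off' }
```

The Best Practices slide later in the deck asks that disabled mode be used only for planned upgrade scenarios; a scheduled check of GetProtectionStatus across the fleet is the simplest way to catch machines that were disabled for servicing and never re-enabled.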
BitLocker™ Recovery Scenarios
- Lost/Forgotten Authentication Methods: lost USB key, user forgets PIN
- Upgrade to Core Files: unanticipated change to pre-OS files (BIOS upgrade, etc…)
- Broken Hardware: hard drive moved to a new system
- Deliberate Attack: modified or missing pre-OS files (hacked BIOS, MBR, etc…)
BitLocker™ Recovery Methods
Recommended method for domain-joined machines
- Automate key backups through BitLocker™ Setup
  - Configure group policy to store keys in Active Directory
  - Provides centralized storage and management of keys
Recommended methods for non domain-joined machines
- Back up to a USB flash device
- Back up to a web-based key storage service
  - "Windows Ultimate Extras" – Provides a free key storage service for home users or unmanaged environments
  - Potential OEM or 3rd-party service for key storage
- Back up to a file
- Print or record to physical media
BitLocker Best Practices
- Create and securely store recovery information: set up and validate recovery processes that include a way to track the number of recovery requests, a way to determine the root cause of recovery requests and a way to ensure that requests are from legitimate users.
- Keep BitLocker protection enabled, or turn protection off by decrypting the disk; temporarily disable BitLocker only for planned upgrade scenarios
- Avoid putting your computer in standby or hybrid sleep mode; configure your computer to hibernate or power off
TPM Best Practices
- TPM must be physically secured to the motherboard
- TPM that comes from the OEM with an Endorsement Key
- A platform that supports direct user input (not automated) to prove physical presence when committing important changes to the TPM
- Initialize the TPM before deploying the platform to end users when possible
- OEM should digitally sign and verify the TPM and BIOS firmware patches
Additional Resources
Web Resources
- Windows Vista BitLocker Client Platform Requirements: http://www.microsoft.com/whdc/system/platform/hwsecurity/BitLockerReq.mspx
- Specs and Whitepapers: http://www.microsoft.com/whdc/system/platform/hwsecurity/default.mspx
- Windows Logo Program Testing: http://www.microsoft.com/whdc/GetStart/testing.mspx
- Trusted Computing Group (TCG) Website: http://www.trustedcomputinggroup.org
BitLocker™ Questions or Ideas: e-mail [email protected]
BitLocker™ Blog: http://blogs.msdn.com/si_team/default.aspx
Fill out a session evaluation on CommNet and win an XBOX 360!
© 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.
MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Appendix

BitLocker Protectors
- TPM – Security hardware that provides a hardware-based root of trust and can be leveraged to provide a variety of cryptographic services. BitLocker only supports TPM v1.2 and above.
- PIN – The PIN can have 4 to 20 digits, and internally is stored as a 256-bit hash of the entered Unicode characters. This value is never displayed back to the user in any form or for any reason. The PIN is used to provide another factor of protection in conjunction with TPM authentication.
- Startup Key – The startup key is an encrypted file that can be stored on a USB flash drive. This protector can be used alone on non-TPM machines or in conjunction with a TPM for added security.
- Recovery Password – This protector is a 48-digit numeric password that is used to unlock a volume. This password must be entered at boot time, using the function keys, in the event a recovery is needed.
- Recovery Key – Key used for recovering data encrypted on a BitLocker volume. This key is cryptographically equivalent to a Startup Key, and is not the same as the recovery password.
Key Architecture
[Diagram: BitLocker Drive Encryption Components; labels recovered from the slide]
- A – Primary Volume: Windows volume, boot volume
- B – Secondary volume (optional): non-boot volume
- 1 – TPM: secure hardware
- 2 – Startup Key: secondary key
- 3 – PIN: secondary key
- Remaining labels: 4, 5, AD, Recovery Keys, Recovery Password File, Recovery Password
System Requirements: Vista Enterprise or Ultimate, 2 partitions, TCG BIOS